I am looking at smart config and wondering how secure it is.
As it seems to me, the SSID and password are sent in cleartext.
Is it possible to encrypt the data using an AES key?
@tdesmet It is unidirectional communication; you can use a fixed key to encrypt the SSID and password. Smart config is not a standard protocol; BluFi will be better than smart config, and you can find an example for BluFi.
I suggest that the official team add AES encryption to the smart config library so that the user can call the API. To avoid code redundancy, this part of the code should not have to be implemented by the users.
@b1gtang Yes, we are considering making more of the smart config code open source.
+1 for baking encryption into SmartConfig
Any update regarding this issue?
As far as I understand, this being a unidirectional communication, the best security you could get is a hardcoded key in your mobile app and your ESP firmware. This is not secure at all. It's a bit harder to crack than clear text, but not secure. To make a protocol secure you need to implement a proper handshake between the involved parties.
@tdesmet @b1gtang @SteveOfTheStow @kyrulkamal @thefat32
We will add AES encryption for smartconfig in v4.3, which will be called esp-touch-v2.